Open Closed

Auth Server Issue Behind Nginx #7142


User avatar
0
NH-Support created
  • ABP Framework version: v8.0
  • UI Type: Angular
  • Database System: SQL Server,
  • Tiered (for MVC) or Auth Server Separated (for Angular): https://neoauth-uat-test.dawaa24.com/
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

i have an nginx acting as a proxy server and behind it there's an auth server (https://neoauth-uat-test.dawaa24.com/) hosted on IIS

i am requesting the endpoint https://neoauth-uat-test.dawaa24.com/connect/token to get the token and it's responding to me with 200 Status Code and give me access token and refresh token

those two tokens should be saved in the Auth Database

**The Problem is that it doesn't save any **

upon review the Auth logs i see this error

2024-05-05 14:23:46.556 +04:00 [ERR] An exception was thrown while deserializing the token. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {9f5dc130-2567-47b5-93b6-328773960f1d} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarning at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) --- End of inner exception stack trace --- at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

I don't know if it's related or not but how can i solve this issue

I followed the Microsoft docs for configuring the Nginx for dot net from this link Configure Nginx

I completely lost and spend two days troubleshooting without getting anywhere

if someone can help with this i would be very grateful

Additional Note: https://neoauth-uat-test.dawaa24.com/ from the Web UI i can login to the Auth Server Like in the Picture


15 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token

    I guess the cookies are not being forwarded correctly

  • User Avatar
    0
    NH-Support created

    Hi,

    You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token

    I guess the cookies are not being forwarded correctly

    Hi @liangshiwei

    Thanks for taking the time to answer

    I've reviewed the link you provided, i already have the Data Protection Enabled in my application some says that you need to turn on "Load User Profile" on the IIS App Pool Level, I have done this Also but still not working

    I inspected the Cookies that are being sent and received from a working Auth and it's the same as this one

    ======== Request and Response on the Current Auth Server ========

    --header 'CONTENT-TYPE: application/x-www-form-urlencoded' \
    --header 'Cookie: .AspNetCore.Antiforgery.7_7oYfNDO6o=CfDJ8LtEv6zYqhpBq8QoCOZvwRj3hMqmMyh66vLfrMAVYCv148iHN5tPU_bzT2X6HCUVVi-JUTtug8b1qj_lSkd1IjjzyfSTDqjdY_q8mlehq8dNo9W59nIjd_yZF-BhDhL3n7V3aQvnZviKIhGNlk4oXsc; XSRF-TOKEN=CfDJ8LtEv6zYqhpBq8QoCOZvwRjQKVLtds_flAMclBCWYxLMIwMvzs_ULBhOFK9G39SIsqa8Ro6psCiApU2jyQBkd-NzwEbEOPis-lq3vdDsjfcJkIJWOWJLZDV7TXjUDd1f-wHym2b5E13Y70-othvbhFw' \
    --data-urlencode 'client_id=Dawaa24Neo_App' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=admin' \
    --data-urlencode 'password=********' \
    --data-urlencode 'scope=offline_access Dawaa24Neo SharedAuth'`
    

    Response:

    { "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDXXXXXXXXXXXXXXXXXXXXXXXXXXXX" }

    and it's not being saved in the Database DB OpenIddictTokens table counts after response is the same

    ======== Screenshot from a working Local Auth Server ========

    `curl --location --request POST 'https://dawaa24neoauthqa.nh.local/connect/token' \
    --header 'CONTENT-TYPE: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=Dawaa24Neo_App' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=admin' \
    --data-urlencode 'password=**********' \
    --data-urlencode 'scope=offline_access Dawaa24Neo SharedAuth'`
    

    Response { "access_token": "eyJhbGciOiJSUzI1NiIsImtpXXXXXXXXXXXXXXXXXx", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCXXXXXXXXXXXXXXXXXXXXXXXXXXXx" }

    and it's saved correctly in the DB

    All headers seems to be there what am i missing here ?

  • User Avatar
    0
    NH-Support created

    Hi,

    You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token

    I guess the cookies are not being forwarded correctly

    can you please replicate the issue from your side if you have a running auth server, you just need to put an nginx infront of it

    here is my nginx config

    ============ upstream backend { # This is my backend Server IP # which has the Auth Server Running # You can put either IP or FQDN server 10.X.X.X; }

    server{ listen 80; listen 443 ssl; server_name neoauth-uat-test.dawaa24.com; ssl_certificate /etc/nginx/fullchain.pem; ssl_certificate_key /etc/nginx/cert.key; location / { proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Cookie $http_cookie; } }

    ===========

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Ok,

    I will check it.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Can you try not sending the cookie when requesting the access token?

  • User Avatar
    0
    NH-Support created

    Not working Also

    I have recorded a video for the issue (30 second) https://drive.google.com/file/d/1x9ZBnr3B5QQdOMbN3C7LTzWdr20X_71f/view?usp=sharing

    Please check

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    If you use this access_token to access the APIs, will it work?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Could you try change the logger level to debug and share the full logs? thanks.

  • User Avatar
    0
    NH-Support created

    If you use this access_token to access the APIs, will it work?

    yes it will work

    our Mobile Dev Team are currently using the token to access the Application API and it's working

  • User Avatar
    0
    NH-Support created

    Could you try change the logger level to debug and share the full logs? thanks.

    Sorry for late response, took me some time to get the Debug working

    i couldn't paste the logs here directly so i mailed them to you at shiwei.liang@volosoft.com,

    Please let me know if you got them Email Subject: Debug Info

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi

    Looks like a transaction problem.

    Could you change the EF Core logger level to debug and share the full logs?

  • User Avatar
    0
    NH-Support created

    Hi

    Looks like a transaction problem.

    Could you change the EF Core logger level to debug and share the full logs?

    Hi Mr. liangshiwei,

    Actually that's how I enabled the Debug so the log that i shared with you is actually the full log

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Ok, but no error details and stack are logged. sorry, I didn't find anything.

    You can check this to get the details for the exception. https://github.com/dotnet/efcore/issues/33319#issuecomment-2030777176

  • User Avatar
    0
    NH-Support created

    Hi,

    Ok, but no error details and stack are logged. sorry, I didn't find anything.

    You can check this to get the details for the exception. https://github.com/dotnet/efcore/issues/33319#issuecomment-2030777176

    Hi,

    Ok, I will ask the DevTeam To implement this and get back to you,

    I am a Deployment Guy, it seems like a complex task for me,

    but i just wondering if someone was able to get the Auth Server Working behind Nginx while the Nginx Do the SSL Offloading and the SSL Stuff,

    because if that's the Case then we need a Another Static IP (Public) DNATed to the Auth Server directly, or run it as HTTPS on non standard port like 8443 (which is not a good practice)

    Please keep the Ticket open, maybe someone faced the same issue or have a similar scenario and can help me solve it

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Ok.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35